Tag Archives: WPS

WPS Brute Force follow-up information

On January 1st we posted a little bit of information regarding the Wi-Fi Protected Setup (WPS) brute force vulnerability. As a follow-up, I have performed a bit more research and analysis on the vulnerability and the attack tools. Here is a list of resources you might want to check out for more information: 

No Strings Attached Podcast 

I was privileged enough to participate in the @NSAShow’s episode 2 podcast: Wi-Fi Protected Setup, Battered or Broken? I highly recommend giving the podcast a listen as it contains a lot of good information. I’d also like to thank the host @revolutionwifi and the other guest @matthewsgast for a fun and insightful 45 minutes. 

Simply Wi-Fi 

We’ve already shared my video demonstration of how a WPS brute force attack works. Since then, I’ve created another video, seen below, demonstrating the use of a tool that identifies vulnerable wireless routers. I’ve also taken some frame captures of an attack and provided an explanation of the frames at different stages of the attack. Sample frames have also been made available for anyone who wants to take a closer look in Wireshark.


United States Computer Response Team (US-CERT) 

Here is the original vulnerability note created on December 27, 2011. It details the basic purpose of WPS and describes the vulnerability. 

Dan C.

If you are aware of any additional resources, please share them in the comments section below.

WPS Brute Force Concerns and Solution

Recently, Stefan Viehböck wrote a white paper documenting a few implementation weaknesses in the Wi-Fi Alliance’s Wi-Fi Protected Setup (WPS). Immediately following the release of the white paper, a new tool (called Reaver) was released publicly that can be used to brute force the WPS PIN and thereby gain access to the WPA/WPA2 pre-shared key (PSK). The attack takes 4-10 hours on average and has an extremely high success rate.

What does this mean for you?

If you are a home user with a relatively new wireless router, you are probably susceptible to this attack. Basically, if your wireless router is WPS-capable you should assume you are vulnerable.

How do you defend against this attack?

The solution is quite simple: disable WPS on your wireless router. This renders the attack useless and it becomes a non-issue for you.
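After changing the setting, you can confirm that WPS is off by checking whether the router's beacon still carries the WPS information element. The parser below is an added example, not code from this post or from Reaver. The sample bytes are constructed, and the attribute IDs (0x104A, 0x1044, 0x1057) are taken from the WPS specification rather than from this page.

```python
import struct

WPS_OUI_TYPE = bytes.fromhex("0050f204")  # vendor IE: OUI 00:50:F2, type 4 = WPS
ATTR_VERSION, ATTR_STATE, ATTR_LOCKED = 0x104A, 0x1044, 0x1057

def iter_tagged(params: bytes):
    """Yield (element_id, body) for each 802.11 tagged parameter."""
    i = 0
    while i + 2 <= len(params):
        eid, length = params[i], params[i + 1]
        body = params[i + 2:i + 2 + length]
        if len(body) < length:  # truncated element: stop rather than misparse
            return
        yield eid, body
        i += 2 + length

def parse_wps_attrs(body: bytes) -> dict:
    """Parse WPS attributes: 2-byte type, 2-byte length (big-endian), value."""
    attrs, i = {}, 0
    while i + 4 <= len(body):
        atype, alen = struct.unpack_from(">HH", body, i)
        value = body[i + 4:i + 4 + alen]
        if len(value) < alen:
            break
        attrs[atype] = value
        i += 4 + alen
    return attrs

def wps_status(params: bytes):
    """Return None if no WPS element is advertised, else a summary dict."""
    for eid, body in iter_tagged(params):
        if eid == 221 and body[:4] == WPS_OUI_TYPE:
            a = parse_wps_attrs(body[4:])
            first = lambda t: (a.get(t) or b"\x00")[0]  # missing/empty -> 0
            return {
                "version": first(ATTR_VERSION),
                "configured": first(ATTR_STATE) == 2,
                "setup_locked": first(ATTR_LOCKED) == 1,
            }
    return None

# Constructed sample tagged parameters (not taken from the post's frame captures).
SSID_IE = bytes([0, 4]) + b"home"
WPS_BODY = WPS_OUI_TYPE + bytes.fromhex("104a000110" "1044000102")
BEACON_WPS_ON = SSID_IE + bytes([221, len(WPS_BODY)]) + WPS_BODY
BEACON_WPS_OFF = SSID_IE  # what a beacon looks like once WPS is disabled

if __name__ == "__main__":
    for name, beacon in (("on", BEACON_WPS_ON), ("off", BEACON_WPS_OFF)):
        print(name, wps_status(beacon))
```

A result of `None` means the beacon no longer advertises WPS; any dict means the access point still announces it.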

Hey, wait a minute. How come you only mentioned home users?

WPS is a system designed specifically for non-technical people. It is widely implemented in SOHO wireless routers but is generally not an enterprise wireless feature. If you happen to be running SOHO gear in the enterprise, then you will need to see if you are vulnerable as well.

Just how easy is it to perform the attack?

Easy. Here is a quick video demonstration showing how the attack works and how to protect against it. This video was created using freely and readily available how-to documentation on the Reaver code page.

The Bottom Line

If you are running enterprise gear, you probably have nothing to worry about. If you are running SOHO gear, then you need to look into this a bit further. Increasing the length and complexity of your PSK does not protect against this attack. You need to disable WPS until the protocol can be strengthened.

Oh yeah, and Happy New Year!

The NCI Blogging Robot

Questions? Concerns? Comments? Get in touch with us below.